Navigating DORA with collaborative cyber defence

Justin Kuruvilla
Chief Cyber Security Strategist at Risk Ledger.

The EU’s new Digital Operational Resilience Act, or DORA, marks more than a regulatory shift – it’s a call for industry-wide collaboration to secure today’s increasingly interconnected supply chains, according to Justin Kuruvilla, Chief Cyber Security Strategist at Risk Ledger. 

The Digital Operational Resilience Act is a comprehensive regulation introduced by the European Union to enhance the financial sector’s resilience against information and communication technology-related disruptions and threats. Regulators acknowledge that financial entities operate within a complex, interconnected supply chain, dependent on critical third-party ICT providers, who themselves are dependent on other suppliers and so on.

As digital transformation in financial services continues to accelerate, it’s more important than ever for businesses to strengthen their cyber defences to mitigate potential risks. As supply chains become more interconnected, the risk of attacks on suppliers grows, underscoring the need for a collective approach towards security.

Regulations such as DORA not only address these challenges head-on but also inspire a bold, proactive approach to cybersecurity that champions collaboration and transparency. These are more than just regulatory requirements; they serve as blueprints to ensure that cybersecurity is at the top of the agenda for businesses with extensive partner networks. By promoting strong governance, enhancing visibility into risks, and encouraging the adoption of automation, DORA sets the stage for a new approach to cyber security and resilience.

With DORA setting the direction, organisations have an opportunity to move from a reactive cybersecurity approach to a proactive one. By implementing robust mechanisms to identify and mitigate risks early, businesses can not only safeguard their assets but foster trust in their partnerships and supply chains.

Limitations of traditional approaches

Traditional third-party risk management (TPRM) approaches are often manual, static, and point-in-time, providing only a snapshot of a supplier’s security posture at the time of assessment. With reviews occurring annually, or even less frequently, organisations lack real-time visibility into emerging risks. DORA addresses this gap by mandating continuous monitoring capabilities, enabling financial entities to obtain more accurate and timely risk assessments of their suppliers.

Addressing these traditional limitations in TPRM will enable a fundamental goal of DORA – to “uncover systemic concentration risks that could threaten the stability of the financial sector”. Regulators require financial entities to submit Registers of Information that capture a variety of operational details, including (to the best of each entity’s ability) the critical business functions outsourced across the supply chain. Supervisory authorities hope this information will allow them to identify systemic risks at the fourth-party level and beyond.

However, simply complying with this requirement and waiting for regulatory insights is a reactive approach. It is unclear when regulators will complete this analysis and communicate their findings. Meanwhile, financial entities remain exposed to risks that exist beyond their direct visibility of third-party relationships. Proactively identifying and mitigating these risks is essential and collaboration is the only way to accomplish this.

Addressing the hidden risks

To manage these risks effectively, financial entities must proactively uncover hidden dependencies within their supply chains and identify previously unaccounted-for risks. A narrow focus on direct suppliers is no longer sufficient – systemic risks can ripple across the sector, impacting stability and resilience. By assessing the broader implications of disruptions, organisations can gain a more comprehensive view of potential vulnerabilities.

Additionally, scenario planning is essential. Financial institutions must evaluate how cyber threats, operational failures or disruptions from third- and fourth-party suppliers could impact their business. These proactive strategies not only enhance resilience but also position firms to respond swiftly to emerging threats.

Mapping critical suppliers and assessing their interdependencies can reveal hidden systemic risks, enabling informed decision-making. This may mean restructuring supplier relationships to reduce exposure, or determining that a given risk falls within the board’s risk tolerance. True resilience requires more than regulatory compliance; it demands proactive collaboration across the entire financial sector. By collectively mapping supply chains and sharing risk intelligence, financial institutions can anticipate threats before regulators do.

The power of a collaborative approach

Aggregating supply chain data across multiple financial entities helps reveal concentration risks that may go unnoticed when assessed individually. By merging supply chain maps, businesses can identify vulnerabilities and dependencies that could pose significant threats. Similarly, industry-wide concentration risk analysis helps prevent over-reliance on a single supplier, reducing the chances of widespread disruptions.
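As an added illustration (not from the original article or from Risk Ledger), the snippet below merges constructed supplier maps from three entities and walks each entity’s third-, fourth- and fifth-party dependencies. Entity and supplier names are placeholders; the point is that the direct-only view shows no shared supplier, while the merged, transitive view exposes one provider that every entity ultimately relies on.

```python
from collections import defaultdict

# Constructed sample data (placeholder names, not real providers).
# Each entity's direct (third-party) suppliers:
ENTITY_SUPPLIERS = {
    "BankA": {"PaymentsCo", "CloudX"},
    "BankB": {"CoreBankingLtd"},
    "InsurerC": {"ClaimsSaaS"},
}
# Each supplier's own suppliers (fourth parties and beyond):
SUPPLIER_SUPPLIERS = {
    "PaymentsCo": {"CloudX"},
    "CoreBankingLtd": {"HostingHub"},
    "ClaimsSaaS": {"HostingHub"},
    "HostingHub": {"CloudX"},
    "CloudX": set(),
}


def transitive_suppliers(start, graph):
    """All suppliers reachable downstream of `start`; tolerates cycles."""
    seen, stack = set(), list(graph.get(start, ()))
    while stack:
        s = stack.pop()
        if s in seen:
            continue
        seen.add(s)
        stack.extend(graph.get(s, ()))
    return seen


def direct_only_concentration(entity_suppliers, threshold):
    """Concentration visible when each entity only lists direct suppliers."""
    dependents = defaultdict(set)
    for entity, direct in entity_suppliers.items():
        for s in direct:
            dependents[s].add(entity)
    return {s: sorted(e) for s, e in dependents.items() if len(e) >= threshold}


def concentration(entity_suppliers, supplier_suppliers, threshold):
    """Concentration after merging maps and following nth-party links:
    supplier -> entities that depend on it, kept if >= threshold entities."""
    dependents = defaultdict(set)
    for entity, direct in entity_suppliers.items():
        reach = set(direct)
        for d in direct:
            reach |= transitive_suppliers(d, supplier_suppliers)
        for s in reach:
            dependents[s].add(entity)
    return {s: sorted(e) for s, e in dependents.items() if len(e) >= threshold}
```

With a threshold of two entities, the direct-only view reports nothing, whereas the merged view reports HostingHub (two entities) and CloudX (all three).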

A collaborative approach plays a key role in strengthening risk management. Sharing risk signals allows peers to detect supplier issues others may have missed, encouraging the exchange of best practices and coordinated mitigation efforts. Peer-to-peer intelligence sharing further enables early detection of risks before they escalate. By taking an industry-wide approach to operational resilience planning, organisations can gain a broader perspective, moving beyond isolated assessments to ensure stronger, more effective risk management.

This proactive approach aligns with the goals of financial entities that already run a mature cyber risk management programme: it makes hidden risks visible and enables them to anticipate and respond before disruptions occur.

By fostering collaboration, financial entities can move beyond simply complying with DORA and work together to develop a more robust operational resilience strategy.